Bug 1357665
Summary: | named-pkcs11.service failed to start after normal system upgrade | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Robbie Harwood <rharwood> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 23 | CC: | abokovoy, arthur-fayzullin, blipton, dominick.grift, dwalsh, ipa-maint, jhrozek, jpazdziora, lvrabec, mgrepl, mkosek, plautrba, pspacek, pvoborni, rcritten, rharwood, richard.berg, roberto.cornacchia, ssorce |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | selinux-policy-3.13.1-158.23.fc23 selinux-policy-3.13.1-158.24.fc23 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2016-09-29 22:52:36 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Robbie Harwood
2016-07-18 19:44:48 UTC
Are there any AVCs?

Could you check file permissions of:
chmod 770 /var/lib/ipa/dnssec
chmod 644 /etc/ipa/dnssec/softhsm2.conf

To check if it is not: https://fedorahosted.org/freeipa/ticket/5520

What is the freeipa-server version? The one in F23 - freeipa-4.2.3-2.fc23?

(In reply to Petr Vobornik from comment #1)
> Are there any AVCs?

type=USER_AVC msg=audit(1468865282.020:159): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/dev/null" cmdline="/usr/bin/systemctl reload named.service" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:null_device_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

repeated several times.

> Could you check file permissions of:
> chmod 770 /var/lib/ipa/dnssec

drwxr-x---. 3 999 25 4096 Mar 11 16:13 var/lib/ipa/dnssec

> chmod 644 /etc/ipa/dnssec/softhsm2.conf

-rw-r--r--. 1 0 0 145 Jun 20 14:59 etc/ipa/dnssec/softhsm2.conf

> To check if it is not: https://fedorahosted.org/freeipa/ticket/5520
>
> What is the freeipa-server version? The one in F23 - freeipa-4.2.3-2.fc23?

Correct.

I got the same error (Failed to enumerate object store in /var/lib/ipa/dnssec/tokens) today after restarting named-pkcs11.service.

Versions:
bind.x86_64 32:9.10.3-13.P4.fc23 @updates
freeipa-server.x86_64 4.2.4-1.fc23 @updates
selinux-policy.noarch 3.13.1-158.21.fc23 @updates

AVCs:
type=AVC msg=audit(1469039718.528:63783): avc: denied { read } for pid=3675 comm="named-pkcs11" name="tokens" dev="dm-1" ino=6448714 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1469039718.528:63784): avc: denied { getattr } for pid=3675 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/73c216bf-fe3e-03e3-0c89-45892f9492ed/token.object" dev="dm-1" ino=6448716 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1469039718.528:63785): avc: denied { read write } for pid=3675 comm="named-pkcs11" name="generation" dev="dm-1" ino=6448718 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1469039718.528:63786): avc: denied { open } for pid=3675 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/73c216bf-fe3e-03e3-0c89-45892f9492ed/generation" dev="dm-1" ino=6448718 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1469039718.528:63787): avc: denied { lock } for pid=3675 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/73c216bf-fe3e-03e3-0c89-45892f9492ed/generation" dev="dm-1" ino=6448718 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1469040532.448:64481): avc: denied { search } for pid=14294 comm="named-pkcs11" name="ipa" dev="dm-1" ino=73407 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469040546.833:64527): avc: denied { getattr } for pid=14364 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens" dev="dm-1" ino=6448714 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1469040546.833:64528): avc: denied { open } for pid=14364 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens" dev="dm-1" ino=6448714 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1469040742.312:64725): avc: denied { read } for pid=16899 comm="named-pkcs11" name="tokens" dev="dm-1" ino=6448714 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=dir permissive=1

This didn't help:
restorecon -r /var/lib/ipa/dnssec

I currently use this local policy as a workaround:

module named_local 1.0;

require {
	type named_t;
	type ipa_var_lib_t;
	class dir { open getattr search read };
	class file { getattr open read lock write };
}

#============= named_t ==============
allow named_t ipa_var_lib_t:dir { open getattr search read };
allow named_t ipa_var_lib_t:file { lock open getattr read write };

Please add output from
rpm -q freeipa-server-dns selinux-policy

Does it work in permissive mode? I suspect that it will. Please gather AVCs from a run in permissive mode. After that we can switch the bug to the SELinux-policy component. Thank you!
rpm -q freeipa-server-dns selinux-policy
freeipa-server-dns-4.2.4-1.fc23.x86_64
selinux-policy-3.13.1-158.21.fc23.noarch

It works when named_t is set to permissive:
semanage permissive -a named_t

Output from "ausearch -m avc -r -ts recent -se named_t" with permissive named_t:
type=AVC msg=audit(1469106284.705:75828): avc: denied { read } for pid=17496 comm="named-pkcs11" name="tokens" dev="dm-1" ino=6448714 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1469106284.705:75829): avc: denied { getattr } for pid=17496 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/73c216bf-fe3e-03e3-0c89-45892f9492ed/token.object" dev="dm-1" ino=6448716 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1469106284.705:75830): avc: denied { read write } for pid=17496 comm="named-pkcs11" name="generation" dev="dm-1" ino=6448718 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1469106284.705:75831): avc: denied { open } for pid=17496 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/73c216bf-fe3e-03e3-0c89-45892f9492ed/generation" dev="dm-1" ino=6448718 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1469106284.705:75832): avc: denied { lock } for pid=17496 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/73c216bf-fe3e-03e3-0c89-45892f9492ed/generation" dev="dm-1" ino=6448718 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1

With "semanage dontaudit off" there are a couple more AVCs:
type=AVC msg=audit(1469106332.532:75882): avc: denied { getattr } for pid=18338 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens" dev="dm-1" ino=6448714 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1469106332.532:75883): avc: denied { read } for pid=18338 comm="named-pkcs11" name="tokens" dev="dm-1" ino=6448714 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1469106332.532:75884): avc: denied { open } for pid=18338 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens" dev="dm-1" ino=6448714 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1469106332.532:75885): avc: denied { getattr } for pid=18338 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/73c216bf-fe3e-03e3-0c89-45892f9492ed/token.object" dev="dm-1" ino=6448716 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1469106332.532:75886): avc: denied { read write } for pid=18338 comm="named-pkcs11" name="generation" dev="dm-1" ino=6448718 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1469106332.532:75887): avc: denied { open } for pid=18338 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/73c216bf-fe3e-03e3-0c89-45892f9492ed/generation" dev="dm-1" ino=6448718 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1469106332.532:75888): avc: denied { lock } for pid=18338 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/73c216bf-fe3e-03e3-0c89-45892f9492ed/generation" dev="dm-1" ino=6448718 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1

Thanks, so it will be a SELinux policy bug. I'm going to change component. Thank you for your patience!

Is this related to Fedora 24 bug 1333106 and/or RHEL 7 bug 1350957? Could we get the fixes backported to Fedora 23?

Is this a dupe of bug 1363967?
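The named_local workaround posted earlier in this thread is the result of the same aggregation audit2allow performs: group each denial by source type, target type and object class, then union the permissions. The script below is an added example (not part of the bug report or of any Fedora tooling; parse_avcs and render_module are my own names) that applies it to AVC records copied from this thread. It also shows why the permissive-mode run was requested: the single permissive=0 record from the enforcing run yields only `search`, while combining it with the permissive, dontaudit-off records reproduces the full allow rules of the workaround module.

```python
import re
from collections import defaultdict

# Constructed sample input: AVC records copied from this bug's ausearch output.
# In enforcing mode named-pkcs11 dies at the first denial, so only one record
# appears; the permissive=1 run exposes every access the daemon actually needs.
ENFORCING_AVCS = """\
type=AVC msg=audit(1469040532.448:64481): avc: denied { search } for pid=14294 comm="named-pkcs11" name="ipa" dev="dm-1" ino=73407 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=dir permissive=0
"""
PERMISSIVE_AVCS = """\
type=AVC msg=audit(1469106332.532:75882): avc: denied { getattr } for pid=18338 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens" dev="dm-1" ino=6448714 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1469106332.532:75883): avc: denied { read } for pid=18338 comm="named-pkcs11" name="tokens" dev="dm-1" ino=6448714 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1469106332.532:75884): avc: denied { open } for pid=18338 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens" dev="dm-1" ino=6448714 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1469106332.532:75885): avc: denied { getattr } for pid=18338 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/73c216bf-fe3e-03e3-0c89-45892f9492ed/token.object" dev="dm-1" ino=6448716 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1469106332.532:75886): avc: denied { read write } for pid=18338 comm="named-pkcs11" name="generation" dev="dm-1" ino=6448718 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1469106332.532:75887): avc: denied { open } for pid=18338 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/73c216bf-fe3e-03e3-0c89-45892f9492ed/generation" dev="dm-1" ino=6448718 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1469106332.532:75888): avc: denied { lock } for pid=18338 comm="named-pkcs11" path="/var/lib/ipa/dnssec/tokens/73c216bf-fe3e-03e3-0c89-45892f9492ed/generation" dev="dm-1" ino=6448718 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1
"""
# One AVC record: denied permissions, source type, target type, object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=\w+:\w+:(?P<stype>\w+):\S+\s+"
    r"tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+"
    r"tclass=(?P<tclass>\w+)")

def parse_avcs(text):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # skip lines that are not AVC records
        key = (m.group("stype"), m.group("ttype"), m.group("tclass"))
        rules[key].update(m.group("perms").split())
    return dict(rules)

def render_module(rules, name="named_local", version="1.0"):
    """Emit policy module source (.te) in the shape of the thread's workaround."""
    types = sorted({t for key in rules for t in key[:2]})
    by_class = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        by_class[tclass].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(by_class.items())]
    out += ["}", ""]
    for (s, t, c), perms in sorted(rules.items()):
        out.append(f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"
```

Note that such a module grants named_t access to every ipa_var_lib_t file, not just the dnssec token store, so it is a stopgap; the policy builds listed under Fixed In Version are the proper fix.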
selinux-policy-3.13.1-158.24.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-f739cc7524

selinux-policy-3.13.1-158.24.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-f739cc7524

selinux-policy-3.13.1-158.24.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.